Sobelow CSWH check, unsure about the validity of its finding

I created a new LiveView application and installed sobelow, which immediately gives me a finding of:

Config.CSWH: Cross-Site Websocket Hijacking - Low Confidence
File: lib/my_project_web/endpoint.ex
Line: 18

which refers to the LiveView socket:

socket "/live", Phoenix.LiveView.Socket, websocket: [connect_info: [session: @session_options]]

So to solve a potential problem, I added a check_origin: true option to the websocket options, but the finding is still there. Looking at the source, it seems that the finding will always be present, if there are any websocket options given as a keyword list, regardless of whether the origin is checked or not. Only the confidence varies:

  defp check_socket_options([{:websocket, options} | _]) when is_list(options) do
    case options[:check_origin] do
      false -> {true, :high}
      _ -> {true, :low}
    end
  end

I’m uncomfortable ignoring security warnings without grokking why the warning is there in the first place, so I’d definitely like to understand this more. Would checking the origin not actually solve the problem? Am I misunderstanding something about the vulnerability? Or should I open a pull request to insert a true -> {false, :high} clause?

1 Like
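For readers landing here from the same Sobelow finding, the following is an added example (not code from the original post, from Sobelow, or from the Phoenix project) showing the weak and hardened forms of the check_origin option side by side. The module names MyProjectWeb.Endpoint and MyProjectWeb.OriginCheck, the origins, and the session options are assumptions made for the example; the option shapes (boolean, list of origins, {module, function, args}) are the ones Phoenix.Endpoint documents for check_origin.

```elixir
defmodule MyProjectWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_project

  # Constructed session options for the example; real values live in config.
  @session_options [store: :cookie, key: "_my_project_key", signing_salt: "CHANGE_ME"]

  # Weak setting (shown commented out so the module compiles with one socket):
  # with check_origin: false a page on any origin can open this WebSocket and
  # the browser attaches the session cookie. That is the cross-site WebSocket
  # hijacking condition Sobelow reports with :high confidence.
  #
  # socket "/live", Phoenix.LiveView.Socket,
  #   websocket: [connect_info: [session: @session_options], check_origin: false]

  # Hardened setting: an explicit allowlist. Phoenix compares the Origin
  # header against each entry; "//*.example.com" matches any subdomain over
  # any scheme, while a full URL pins scheme and host.
  socket "/live", Phoenix.LiveView.Socket,
    websocket: [
      connect_info: [session: @session_options],
      check_origin: ["https://app.example.com", "//*.example.com"]
    ]

  # Alternative for more complex policies: delegate to a function.
  # check_origin: {MyProjectWeb.OriginCheck, :allowed?, []}
end

defmodule MyProjectWeb.OriginCheck do
  @moduledoc """
  Hypothetical origin policy for the example above. When configured as
  {MyProjectWeb.OriginCheck, :allowed?, []}, Phoenix calls allowed?/1 with the
  parsed Origin header as a %URI{} and expects a boolean.
  """

  # Constructed allowlist for the example.
  @allowed_hosts ["app.example.com", "staging.example.com"]

  # Accept only HTTPS origins whose host is on the allowlist; everything else,
  # including a missing or malformed Origin, is rejected.
  def allowed?(%URI{scheme: "https", host: host}) when host in @allowed_hosts, do: true
  def allowed?(_uri), do: false
end
```

Leaving check_origin unset (or check_origin: true) makes Phoenix compare the Origin header against the endpoint's configured :url host, which is the default that the post above found still triggers the low-confidence finding; the explicit list or function form is useful when the socket is legitimately served to more than one origin.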

I’ll leave it to @griffinbyatt to give the definitive answer, but in general it is virtually impossible with static analysis alone to rule out false negatives (or positives). Full data flow analysis would require concolic testing or IAST-style runtime verification of findings.

Sobelow is probably erring on the side of caution, flagging the use of a feature that requires special security considerations. The low confidence finding is saying that everything appears to be configured correctly, while still raising awareness of the potential risk.

3 Likes

I’m a security person in my day job, so I know about the limitations of static analysis, and I totally get raising awareness. But the way this check works, it doesn’t feel to me that this is what’s happening here: Why is there no finding if I simply say websocket: true instead of websocket: [...options...] in the socket call? Case in point: the default socket "/socket" ... two lines up does not get flagged:

socket "/socket", CaplaWeb.UserSocket,
    websocket: true,
    longpoll: false

This is why I’m confused: If one of these lines needs awareness, then surely both of them need it? Or am I missing the point?

1 Like

Replying to myself for future reference, this was fixed in https://github.com/nccgroup/sobelow/commit/50052461ea4be411d495e479383d219ae8231203 which is included in sobelow 0.10.5.

1 Like